SQL Server Performance

Is it possible to run Debugger without sysadmin permission?

Discussion in 'SQL Server 2005 General DBA Questions' started by DBADave, Aug 5, 2008.

  1. DBADave New Member

    I know with SQL 2005 (and with 2008) the BOL documentation says sysadmin permission is required to run debugger. I'm 90% certain there is no workaround to this requirement, but thought I would ask just in case someone found a way to grant Debugger permission without granting sysadmin permission.
    We don't allow our developers to have sysadmin permission on our development servers so I'm curious how other people handle the requests for Debugger permission in a similar environment to ours.
    An option is to grant permission to run Profiler traces, but we are concerned with the performance hits we could receive if someone runs a trace that grabs everything under the sun because they are unfamiliar with how to properly use Profiler.
    What do you do in your environment?
    Thanks, Dave
  2. satya Moderator

    We are using RUN AS process to enable that on time to time basis.
  3. DBADave New Member

    Satya, What is the process you are following? We tossed around the idea of using RUN AS with our AD security person yesterday. He suggested creating one extra account per developer to make it easier for us to track what they are doing and determine if someone is using the sysadmin account for something more then debugging SQL code. We would remove sysadmin rights every evening at a specific time and enable them at a specific time each morning. It's not the ideal solution, but it's probably better then giving every developer account sysadmin permission.
    Another option is to only enable the extra AD accounts on an "as needed" basis, but we don't want to be spending a lot of time each week enabling and disabling accounts. Some developers won't need to debug code that often, but others will be using the debugger daily.
    We could purchase development tools for debugging, but I've yet to research if we would be encountering the same sysadmin issue. Besides, this comes at a cost of about $200 - $300 per developer at the low end. Management will want to avoid this because we already have the debugger with Visual Studio. They are less concerned with securing development DB servers, insisting that developers should be held accountable for their actions. We agree with the accountability part, but unfortunately it would be the DBAs having to clean things up when someone does something they should not be doing with sysadmin permission. That's another topic for another day.
    A final option is to install Developer Edition on each desktop, but I believe that would present other issues we should avoid.
    Thanks again for sharing your ideas.
  4. satya Moderator

    Dave, even we had been that part of idea in running/granting the non-sysadmin users for debugging within development environment. But due to the manual intervention and additional overhead of checkout on day to day activity, we have chosen with RUN AS for 1 account with necessary privileges to deploy the tool for the developers who need that option, before that they need to ask for it.
  5. DBADave New Member

    Looks like we will be using the RUN AS approach and have a SQL job grant and revoke sysadmin permission to the account(s) at different times of the day. For example, at 6pm sysadmin will be revoked and at 6am it will be enabled. Thanks for your feedback.
  6. satya Moderator

    Cool, sounds like a plan and feedback if you find any issues/gotchas in this process.

Share This Page